From 958485fa1bd40f6295fe830a73fbc3cb7e5233dc Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 28 Oct 2025 19:41:28 +0800
Subject: [PATCH] Fix CVE-2025-62611

(cherry picked from commit d26ab62ed26a8f87f4e987040d22db27872e2202)
---
 CVE-2025-62611.patch | 87 ++++++++++++++++++++++++++++++++++++++++++++
 python-aiomysql.spec |  8 +++-
 2 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2025-62611.patch

diff --git a/CVE-2025-62611.patch b/CVE-2025-62611.patch
new file mode 100644
index 0000000..301197b
--- /dev/null
+++ b/CVE-2025-62611.patch
@@ -0,0 +1,87 @@
+From aa9849480d7b3bcc6182a5bfe43045cd87b2b131 Mon Sep 17 00:00:00 2001
+From: KonstantAnxiety <konstasa@yandex-team.ru>
+Date: Tue, 9 Sep 2025 17:07:11 +0300
+Subject: [PATCH] check local_infile option when receiving a LOAD_LOCAL packet
+
+Origin: https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538
+---
+ aiomysql/connection.py   |  7 ++++++-
+ tests/test_load_local.py | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/aiomysql/connection.py b/aiomysql/connection.py
+index 8bf5cbf..fc81394 100644
+--- a/aiomysql/connection.py
++++ b/aiomysql/connection.py
+@@ -205,7 +205,8 @@ class Connection:
+ 
+         self._encoding = charset_by_name(self._charset).encoding
+ 
+-        if local_infile:
++        self._local_infile = bool(local_infile)
++        if self._local_infile:
+             client_flag |= CLIENT.LOCAL_FILES
+ 
+         client_flag |= CLIENT.CAPABILITIES
+@@ -1145,6 +1146,10 @@ class MySQLResult:
+         self.has_next = ok_packet.has_next
+ 
+     async def _read_load_local_packet(self, first_packet):
++        if not self.connection._local_infile:
++            raise RuntimeError(
++                "**WARN**: Received LOAD_LOCAL packet but local_infile option is false."
++            )
+         load_packet = LoadLocalPacketWrapper(first_packet)
+         sender = LoadLocalFile(load_packet.filename, self.connection)
+         try:
+diff --git a/tests/test_load_local.py b/tests/test_load_local.py
+index aa3b45c..500a612 100644
+--- a/tests/test_load_local.py
++++ b/tests/test_load_local.py
+@@ -2,7 +2,9 @@ import builtins
+ import os
+ from unittest.mock import patch, MagicMock
+ 
++import aiomysql
+ import pytest
++from pymysql.constants import CLIENT
+ from pymysql.err import OperationalError
+ 
+ 
+@@ -81,3 +83,33 @@ async def test_load_warnings(cursor, table_local_file):
+     with warnings.catch_warnings(record=True) as w:
+         await cursor.execute(sql)
+     assert "Incorrect integer value" in str(w[-1].message)
++
++
++@pytest.mark.run_loop
++async def test_load_local_disabled(mysql_params, table_local_file):
++    # By setting the client flag, the server will be informed that we support
++    # loading local files. This validates that the client side check catches
++    # the server attempting to read files from us without having this
++    # explicitly enabled on the connection. The local_infile parameter sets
++    # the client flag, but not the other way round.
++    params = mysql_params.copy()
++    params["local_infile"] = False
++    if "client_flag" in params:
++        params["client_flag"] |= CLIENT.LOCAL_FILES
++    else:
++        params["client_flag"] = CLIENT.LOCAL_FILES
++
++    async with aiomysql.connect(**params) as conn:
++        async with conn.cursor() as cursor:
++            # Test load local infile with a valid file
++            filename = os.path.join(os.path.dirname(os.path.realpath(__file__)),
++                                    'fixtures',
++                                    'load_local_data.txt')
++            with pytest.raises(
++                RuntimeError,
++                match="Received LOAD_LOCAL packet but local_infile option is false",
++            ):
++                await cursor.execute(
++                    ("LOAD DATA LOCAL INFILE '{0}' INTO TABLE " +
++                     "test_load_local FIELDS TERMINATED BY ','").format(filename)
++                )
+-- 
+2.51.1
+
diff --git a/python-aiomysql.spec b/python-aiomysql.spec
index 136997a..fd1a883 100644
--- a/python-aiomysql.spec
+++ b/python-aiomysql.spec
@@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-aiomysql
 Version:	0.0.21
-Release:	1
+Release:	2
 Summary:	MySQL driver for asyncio.
 License:	MIT
 URL:		https://github.com/aio-libs/aiomysql
 Source0:	https://files.pythonhosted.org/packages/a9/7f/d5a409cc0bb8349d6475ee4ea42ac2a5664646fe8a85e81ce3d91f63c474/aiomysql-0.0.21.tar.gz
+Patch0: 	CVE-2025-62611.patch
 BuildArch:	noarch
 
 Requires:	python3-PyMySQL
@@ -38,7 +39,7 @@ parts of PyMySQL_ . *aiomysql* tries to be like awesome aiopg_ library and
 preserve same api, look and feel.
 
 %prep
-%autosetup -n aiomysql-0.0.21
+%autosetup -n aiomysql-%{version} -p1
 
 %build
 %py3_build
@@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Tue Oct 28 2025 yaoxin <1024769339@qq.com> - 0.0.21-2
+- Fix CVE-2025-62611
+
 * Thu Jul 22 2021 Xu Jin <jinxu@kylinos.cn> - 0.0.21-1
 - Update package to 0.0.21
 
-- 
Gitee